Wednesday, May 27, 2009

The /etc/sysctl.conf directives are important kernel security measures.

This is what the kernel parameters in the file mean:

net.ipv4.ip_forward = 0

This box is not a router, so make sure forwarding is turned off.

net.ipv4.icmp_echo_ignore_broadcasts = 1

Don’t respond to ping broadcasts. Ping broadcasts and multicasts are usually an
attack of some kind, like a Smurf attack. You may want to use a ping broadcast
to see what hosts on your LAN are up, but there are other ways to do this. It is a
lot safer to leave this disabled.

net.ipv4.tcp_syncookies = 1

This helps to protect from a SYN flood attack. If your computer is flooded with
SYN packets from different hosts, the SYN backlog queue may overflow. So, this
sends out cookies (SYN-ACKs whose sequence number encodes the connection
details) to test the validity of the SYN packets, so only clients that finish the
handshake take up a queue entry. This is not so useful on a heavily loaded server,
and it may even cause problems, so it’s better to use it only on workstations and
laptops.

net.ipv4.conf.all.rp_filter = 1

This helps to maintain state and protect against source spoofing. It verifies that
the source address of a packet coming in on an interface would be routed back out
on the same interface, and drops the packet if it would not. Obviously, this can
confuse multihomed routers, which routinely forward packets from one interface
to another, so don’t use it on them.
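Editing the file is only half the job: the settings are not live until `sysctl -p` (or a reboot) applies them. The script below, an added example and not part of the original post, audits "key = value" lines (the format of both /etc/sysctl.conf and `sysctl -a`) against the four values above and reports anything missing or different; the sample it checks by default is constructed, and `--live` assumes a `sysctl -a` that prints in that format.

```shell
#!/bin/sh
# Hardened values from the post, as key=value pairs (one per line).
EXPECTED='net.ipv4.ip_forward=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1'

# audit_sysctl: read "key = value" lines on stdin, compare each key in
# EXPECTED against the last matching non-comment line, and print one line
# per key that is missing or differs. Returns 0 if all match, 1 otherwise.
audit_sysctl() {
    input=$(cat)
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Escape the dots so they match literally in the sed pattern.
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(printf '%s\n' "$input" \
            | sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
            | tail -n 1)
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-missing}"
            rc=1
        fi
    done
    return $rc
}

# audit_running_kernel: check the live values instead of a saved file.
audit_running_kernel() {
    sysctl -a 2>/dev/null | audit_sysctl
}

# Constructed sample (not from a real host): forwarding on, syncookies
# commented out, rp_filter off; only the broadcast setting is right.
SAMPLE='net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
# net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 0'

if [ "${1-}" = "--live" ]; then
    audit_running_kernel
elif printf '%s\n' "$SAMPLE" | audit_sysctl; then
    echo "all settings match"
else
    echo "one or more settings need attention"
fi
```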
